Date: Wed, 14 Oct 2020 02:37:40 +0100
From: tech-lists <tech-lists@zyxst.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf and tap(4) interfaces
Message-ID: <20201014013740.GA69661@rpi4.gilescoppice.lan>
In-Reply-To: <41851719-8e17-d5d6-4abb-0c4221df70ef@shurik.kiev.ua>
References: <20201013160738.GD30207@rpi4.gilescoppice.lan> <41851719-8e17-d5d6-4abb-0c4221df70ef@shurik.kiev.ua>
Hello,

On Tue, Oct 13, 2020 at 08:26:23PM +0300, Oleksandr Kryvulia wrote:
>>
>> [snip]
>> block all
>> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>> pass in quick on $tap_if inet proto tcp from any to ($tap_if)
>>
>> thanks,
>
> External traffic to your tap interface arrives through ix0. So you need
> to change the third rule:
>
> block all
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
> pass in quick on $ext_if inet proto tcp from any to ($tap_if)
>
> Also check net.link.bridge.pfil_member=1

Unfortunately this suggestion didn't work for me, but thanks for suggesting.
It ends up blocking everything to the VM.

I should also have mentioned my full context originally:

What I have in this instance is a FreeBSD host running a FreeBSD VM through
bhyve. Both the host and the VM have real IPs. The VM wants full access, as
it has its own pf within itself. The host wants ssh open and no more. I can
lock down the ssh server on the host with sshd_config plus some additions to
sysctl.conf, without involving pf at all. I just wondered if I can do it with
pf on the host. I'm surprised there's no mention of this type of config in
the handbook. I would have thought it was common?

I've also tried set skip on $tap_if to no effect, in that if I apply this
(but have the allow-only-ssh rule on $ext_if), then I can't access the VM on
the VM's open ports. Clearly I'm doing something wrong.

> As for me I prefer to have all IPs and filter it on bridge interface and
> not on members.

How do you do that? It's probably (if I understand correctly) not for me
because I'm using bhyve, and $ext_if and $tap_if are both members and they
need different access. But I'd be interested how you're filtering on the
bridge interface.

-- 
J.
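A host-side pf.conf for the layout described in the thread (host and bhyve VM both with routable addresses, host exposing only ssh, VM doing its own filtering), added here as an example; it is not from either poster and was not part of the original exchange. It assumes the host's address sits on ix0, that bridge0 has ix0 and tap0 as members, that the tap interface carries no address of its own, and that the VM's address is 192.0.2.20 (a documentation prefix used as a stand-in); none of those values appear in the message. It filters on the bridge members, i.e. net.link.bridge.pfil_member=1 with net.link.bridge.pfil_bridge=0, and names the VM's address directly rather than writing `($tap_if)`, because per pf.conf(5) the parenthesised form expands to the addresses configured on that interface, and a bhyve tap normally has none, so a rule written that way matches no packets.

```pf
# /etc/sysctl.conf on the host (assumed layout, see lead-in):
#   net.link.bridge.pfil_member=1   # run pf on ix0 and tap0 as frames cross them
#   net.link.bridge.pfil_bridge=0   # do not filter a second time on bridge0
#
# /etc/pf.conf on the host. Added example; every value below is assumed.
ext_if = "ix0"         # physical NIC, carries the host's own address
tap_if = "tap0"        # bhyve tap, bridged to ix0, no address of its own
vm_ip  = "192.0.2.20"  # the VM's routable address (stand-in value)

set skip on lo0

# Default deny on every interface the host sees, both directions.
block all

# Host: only ssh may reach the host's own address. Let the host originate
# its own connections (DNS, pkg fetches) with normal stateful tracking.
pass in  quick on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
pass out quick on $ext_if inet from ($ext_if) to any keep state

# VM, inbound: a packet for the VM enters the host on ix0 and leaves it on
# tap0. With pfil_member=1 pf evaluates it on both legs, so both need a pass.
# "no state" leaves connection tracking to the VM's own pf, which is what
# the poster wants; it also avoids holding duplicate state for bridged flows.
pass in  quick on $ext_if inet from any to $vm_ip no state
pass out quick on $tap_if inet from any to $vm_ip no state

# VM, outbound/return path: enters on tap0, leaves on ix0.
pass in  quick on $tap_if inet from $vm_ip to any no state
pass out quick on $ext_if inet from $vm_ip to any no state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `pfctl -s info` / `tcpdump -nei pflog0` to confirm which leg is dropping if the VM still cannot be reached. Two caveats: the rules are `inet` only, so if the VM has an IPv6 address the `block all` will drop that traffic until matching `inet6` rules are added; and pf filters IP only, so ARP between the outside and the VM is unaffected by the deny rule. The other supported combination, presumably what the reply means by filtering on the bridge rather than on members, is net.link.bridge.pfil_bridge=1 with pfil_member=0 and the host's own address moved onto bridge0, in which case every rule above would be written `on bridge0` and the per-member distinction disappears.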